Written by Ursidae: https://ursidaecyber.com
This guide explains how to use Trezor cryptocurrency hardware wallets on Qubes OS. Unfortunately, installing Trezor Suite is not as straightforward as installing other software on Qubes, so we compiled an exhaustive guide to the process.
This guide contains two parts: brief instructions and in-depth instructions. Use whichever suits your needs. These are the brief instructions. If you require detailed instructions, please see my GitHub.
Step 1: Install Trezor Suite
- Download the Trezor Suite .AppImage from the Trezor website, along with the signature and signing key, in a new Whonix AppVM dedicated to Trezor.
- Verify the downloaded .AppImage against the signature using the signing key.
- Execute:
sudo chmod u+x ~/Downloads/Trezor-Suite-23.4.2-linux-x86_64.AppImage
- Right-click the .AppImage file and press execute to open the application.
Step 2: Port Listening
In Trezor Whonix AppVM:
- Execute command:
sudo nano /rw/config/rc.local
- Add the following code to the file:
socat TCP-LISTEN:21325,fork EXEC:"qrexec-client-vm sys-usb trezord-service" &
- Save and exit.
Step 3: Dom0 Trezor Policy
In Dom0:
- Execute:
sudo nano /etc/qubes-rpc/policy/trezord-service
- Add this code to the new file:
$anyvm $anyvm allow,user=trezord,target=sys-usb
- Save and exit.
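The policy line above lets every qube call trezord-service in sys-usb. As an added example (not part of the original guide), this shell function audits a legacy-format policy file for such rules; the qube name "trezor" in the tightened sample rule is an assumption, since the guide does not name the Trezor AppVM.

```shell
#!/bin/sh
# Added example: flag legacy-format qrexec policy rules that allow any qube
# to call a service. Prints each offending rule; returns 1 if any were found.
audit_qrexec_policy() {
    policy_file=$1
    findings=0
    lineno=0
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        case $line in
            ''|'#'*) continue ;;   # skip blank lines and comments
        esac
        # Legacy rule format: <source> <destination> <action>[,param=value...]
        set -f                     # no glob expansion while splitting fields
        set -- $line
        set +f
        [ $# -ge 3 ] || continue
        src=$1
        action=${3%%,*}            # strip ",user=...,target=..." parameters
        case $src in
            '$anyvm'|'@anyvm')
                if [ "$action" = allow ]; then
                    printf '%s:%s: any qube may call this service: %s\n' \
                        "$policy_file" "$lineno" "$line"
                    findings=$((findings + 1))
                fi ;;
        esac
    done < "$policy_file"
    [ "$findings" -eq 0 ]
}

# Constructed sample input: the rule from Step 3, then a tightened policy.
# "trezor" is an assumed name for the dedicated Trezor qube.
demo=$(mktemp)
printf '%s\n' '$anyvm $anyvm allow,user=trezord,target=sys-usb' > "$demo"
audit_qrexec_policy "$demo" || echo "rule is open to every qube"
printf '%s\n' 'trezor sys-usb allow,user=trezord,target=sys-usb' \
    '$anyvm $anyvm deny' > "$demo"
audit_qrexec_policy "$demo" && echo "only named qubes are allowed"
rm -f "$demo"
```

In dom0, run the function against /etc/qubes-rpc/policy/trezord-service after completing Step 3.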
Step 4: Fedora Cloning
- Clone your current regular fedora-37 template Qube and name it fedora-37-sys.
- Clone the fedora-37-dvm Qube and name it fedora-37-sys-dvm.
- Set the template for the fedora-37-sys-dvm as fedora-37-sys.
- Set sys-usb's template as fedora-37-sys-dvm.
Step 5: Trezord Service
In fedora-37-sys-dvm:
- Execute in terminal:
sudo mkdir /usr/local/etc/qubes-rpc
- Execute:
sudo nano /usr/local/etc/qubes-rpc/trezord-service
- Add this code to the file:
socat - TCP:localhost:21325
- Save and exit.
- Execute:
sudo chmod +x /usr/local/etc/qubes-rpc/trezord-service
Step 6: Trezor Bridge
In fedora-37-sys:
Download the Trezor Bridge .rpm file from Trezor.
- Execute:
sudo chmod u+x ~/Downloads/trezor-bridge-2.0.27-1.x86_64.rpm
- Then execute:
sudo rpm -i ~/Downloads/trezor-bridge-2.0.27-1.x86_64.rpm
Step 7: Udev rules
Note on udev rpm use: the Trezor-provided udev rpm file does not work on Qubes. See the in-depth explanation section below. Use Method 1 or Method 2 provided here instead. Method 2 requires temporarily enabling networking in the template, so use Method 1 if you are not comfortable with that and Method 2 if you are.
Method 1: Manual Build
In fedora-37-sys:
- Run:
sudo nano /etc/udev/rules.d/51-trezor.rules
Copy and paste this code into the file:
# Trezor
SUBSYSTEM=="usb", ATTR{idVendor}=="534c", ATTR{idProduct}=="0001", MODE="0660", GROUP="plugdev", TAG+="uaccess", TAG+="udev-acl", SYMLINK+="trezor%n"
KERNEL=="hidraw*", ATTRS{idVendor}=="534c", ATTRS{idProduct}=="0001", MODE="0660", GROUP="plugdev", TAG+="uaccess", TAG+="udev-acl"
# Trezor v2
SUBSYSTEM=="usb", ATTR{idVendor}=="1209", ATTR{idProduct}=="53c0", MODE="0660", GROUP="plugdev", TAG+="uaccess", TAG+="udev-acl", SYMLINK+="trezor%n"
SUBSYSTEM=="usb", ATTR{idVendor}=="1209", ATTR{idProduct}=="53c1", MODE="0660", GROUP="plugdev", TAG+="uaccess", TAG+="udev-acl", SYMLINK+="trezor%n"
KERNEL=="hidraw*", ATTRS{idVendor}=="1209", ATTRS{idProduct}=="53c1", MODE="0660", GROUP="plugdev", TAG+="uaccess", TAG+="udev-acl"
- Save and exit.
- Execute:
sudo chmod +x /etc/udev/rules.d/51-trezor.rules
OR
Method 2: Curl Installation
- In fedora-37-sys enable networking.
- Install curl:
sudo dnf install curl
- Download Udev rules:
sudo curl https://data.trezor.io/udev/51-trezor.rules -o /etc/udev/rules.d/51-trezor.rules
- Allow execution:
sudo chmod +x /etc/udev/rules.d/51-trezor.rules
- Revoke fedora-37-sys networking permissions.
Step 8: Install Trezor Dependencies
In the Trezor Whonix AppVM:
- Install pip:
sudo apt install pip
- Execute:
pip3 install --user trezor
AND
In fedora-37-sys:
- Allow networking.
- Execute:
sudo dnf install trezor-common
- Revoke networking permissions in fedora-37-sys.